Share this story

As the result of a Freedom of Information Act request filed by the American Civil Liberties Union, the Department of Justice has revealed, for the first time, the types of secret letters that the government can send out to ISPs and other tech companies being asked to reveal personal data about their users and customers who are being investigated for national security reasons. In 2009, over 6,000 Americans received such National Security Letters (NSLs).

According to the Wall Street Journal, the “letters show that the FBI is now informing people who receive the letters how they can challenge the documents in court. But some key elements of the letters remain blocked from view—including lists of material the FBI says companies can send in response to the letter.”

Most commonly, government investigators request names and addresses associated with phone and Internet records. There are also some especially broad requests, including “electronic communications transactional records,” and “Internet activity logs.” However, it remains unclear exactly what those terms mean, and how companies comply or don’t comply with such requests is also a mystery.

“You are hereby directed to provide the Federal Bureau of Investigation (FBI) the names, addresses, and length of service and electronic communications transactional records, to include existing transaction/activity logs and all electronic mail (e-mail) header information, for the below listed [e-mail/IP] address holder(s): [e-mail/IP address or addresses] [on a specific date] or [For the period from [specific date] to [specific date][present],” the template states.

The newspaper also reported that exactly what information is disclosed to federal authorities is not usually made public. In requests for comment, Verizon and AT&T said they did not comment on national security matters, while Google and Twitter said they merely comply with “valid legal process,” but that they would notify users of such requests whenever possible.

Facebook, interestingly, has taken a much more narrow interpretation of the law.

“We interpret the national security letter provision as applied to Facebook to require the production of only two categories of information: name and length of service,” said Fred Wolens, a public policy spokesman for the social networking giant, as quoted by the WSJ.

Government argues such letters are "integral"

Use of such letters, which originated in the 1970s and 1980s, expanded in the wake of the Patriot Act (2001)—the government has since maintained that these letters are crucial for federal investigations.

“NSLs are integral to determining whether, how, and by whom our nation is being put at risk,” then Acting Assistant Attorney General for National Security Todd Hinnen told a House Judiciary subcommittee last year in written remarks.

Worse still, just last month, Wired reported that the FBI says that few companies nor individual recipients ever challenge these letters. NSLs, even after they have been challenged, can have lasting effects. Even the first person to successfully challenge receiving such a letter, Nicholas Merrill, whose investigation was later dropped, is still under a gag order forbidding him from discussing exactly what specific information the FBI wanted.

Privacy watchdogs have lauded this disclosure, but say that they want federal authorities to be much more forthcoming as to how the NSLs are used and possibly misused.

“The fact that we are just now seeing these templates shows how little we know about the NSL process, and how much we still have to learn,” wrote Steven Aftergood, director of the Federation of American Scientists, and an anti-secrecy advocate, in an e-mail sent to Ars on Thursday.

Share this story

Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California. Emailcyrus.farivar@arstechnica.com//Twitter@cfarivar